Transitioning from SAS 70 to SSAE 16 and ISAE 3402


Old Standard Gets Pushed Out for Something New

By Jeff Lewis, CPA and Charlie Wood, CISA

Since 1992, Statement on Auditing Standards (SAS) No. 70 has provided guidance on reporting on controls at a service organization. However, the International Auditing and Assurance Standards Board (IAASB) and the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) have recently approved new literature for reporting on controls at a service organization. Under the new literature adopted by the IAASB and the ASB, SAS 70 will be replaced by two standards:

1. A service auditor’s standard - A new standard that guides service organization auditors in the conduct of an examination of, and the resultant reporting on, controls at a service organization.

2. A user auditor’s standard - An auditing standard that will guide user auditors in consideration of internal controls when processing is performed by a service organization.

Whether driven by regulatory requirement or by a Board of Directors focusing on corporate governance, the design and implementation of internal control over financial reporting have become key responsibilities for management. This trend toward strong internal control has occurred simultaneously with a continuing trend to outsource functions that may be significant to an organization’s operations. As a result, many enterprises have found that they have transferred the performance of many of their key controls to third-party service organizations. However, while the execution of these controls can be outsourced, management’s responsibility for maintaining an effective system of internal control cannot be outsourced.

SAS 70 reports were originally intended to be a communication from the service auditor to the independent auditor of the user organization that permitted auditors of user organizations to fulfill auditing standards that require an understanding of internal control, even when those controls are outsourced to third parties. However, user entities have realized the benefits of such a report and of using a SAS 70 report as part of their risk management and vendor management processes. Furthermore, with the adoption of various internal control regulations (e.g., the Sarbanes-Oxley Act (SOX) in the US or similar laws in other countries), management now has formally prescribed responsibilities and requirements with regard to its assessment of internal controls over financial reporting. Many of these responsibilities are core aspects that continue to be important for a user entity to consider.

Differences
In the United States, the ASB has adopted a new attestation standard, Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization, and the IAASB has issued ISAE 3402, Assurance Reports on Controls at a Service Organization, which is substantively equivalent to SSAE 16. SSAE 16 defines the performance requirements for “examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.”

While the new attestation standard for service auditors has many similarities to the current SAS 70 standard, some significant changes in the new attestation standard are noteworthy:

• The new standard for service auditors will fall under the “attestation” standards instead of the “auditing” standards.  This means that the service auditor’s report will change from its current form and will also require additional responsibilities for management at the service organization.

• Specifically, in a Type 2 report, management at the service organization will be required to present a written assertion about whether:

o Its description “fairly presents” the system that was designed and implemented throughout the specified period.
o The controls were suitably designed throughout the period to achieve the control objectives.
o The controls operated effectively throughout the period to achieve those control objectives.

• One of the service organization’s additional responsibilities related to this assertion is that management must have a reasonable basis to support its assertion.  While it is not anticipated that a “SOX-like” infrastructure is necessary to support its assertion, management must have a reasonably informed basis in making its assertion.  For example, monitoring activities currently in place at a service organization may provide evidence of the design and operating effectiveness of the controls in support of management’s assertion.
• Another significant change applicable for Type 2 reports is that the auditor’s opinions (and management’s assertion) on the fairness of presentation, suitability of design, and operating effectiveness of the controls are extended to address the entire reporting period.  Currently, the opinions on fairness of presentation and suitability of design are limited to the last day of the reporting period.
• An additional area that is being presented differently under the new service auditor standard relates to the use of the work performed by a service organization’s internal audit function.  If the service auditor places reliance on the work of the service organization’s internal audit function in performing its tests of controls (i.e., indirect assistance), the tests of controls and results section of the report should include a description of the internal auditor’s work and the service auditor’s work procedures with respect to that work.  With regard to direct assistance, SSAE 16 addresses the service auditor’s requirements when using the work of the internal audit function in a direct assistance capacity.  The International Standards on Auditing (ISAs) and the ISAEs do not provide for use of the internal audit function for direct assistance.

While these changes are significant, many aspects of the new standards are similar to or consistent with SAS 70, including:

• The underlying work effort by the service auditor is expected to be substantially the same.
• There are two types of reports: a Type 1 report, which includes only a description of controls, and a Type 2 report, which also includes tests of operating effectiveness.
• Type 2 reports should ordinarily cover a minimum of six months.
• The report is “limited” in its use, meaning that the report may be used only by the service organization, the service organization’s auditor, the user entities, and the user entities’ auditors.  The report should not be used by any other organization, including prospective clients or potential investors.
• Sample sizes are disclosed only when deviations are identified.

As indicated, the new standard applies to “controls (that) are likely to be relevant to user entities’ internal control over financial reporting.” A report issued under this standard may not be combined with a report on controls that are not likely to be relevant to the user entity’s internal control over financial reporting. For example, an ISAE 3402/SSAE 16 report over financial systems may not be combined with or include control objectives providing assurance over system availability, regulatory compliance, or information privacy.

Summary of next steps
While many of the changes previously discussed are significant and will impact user entities, service organizations, and auditors, it is important that user entities recognize that many of the concepts and principles remain consistent with the prior SAS 70 reporting standard.  As the date for applying the new standard approaches, user entities should take steps that will help to minimize the impact to business operations when the change occurs, such as:

• Engaging the service organization and auditor in a discussion to understand the impacts of the revised standard on the current approach (i.e., adoption time line and any changes to scope).
• Determining the service provider’s intended approach regarding whether the inclusive or carve-out method will be used with subservice organizations.  For those subservice organizations using the carve-out method of reporting, determine which service providers have subservice organizations that already provide SAS 70 reports.
• Reviewing and understanding the scope of the current SSAE 16/ISAE 3402 report and how it relates to the user entity controls. If the scope of the report is not sufficient for user entity purposes or could be improved, use the new standard as an opportunity to reevaluate and initiate scope discussions with the service organization.
• Understanding the requirements and service provider obligations by reviewing service provider contracts and modifying contracts and service agreements as necessary.
• Communicating the changes and related impact to the stakeholders in the organization (finance, procurement, IT, legal, internal audit, risk management, compliance, vendor management, sales).

About the Authors: Jeff Lewis, CPA, Partner, is an expert in conducting financial statement audits and reviews and providing a wide range of consulting services to both public and private companies. Charlie Wood, CISA, is a Manager in Bonadio’s Enterprise Risk Management team. With more than a decade of IT industry experience, Charlie’s focus is on security vulnerabilities, internal and external auditing, controls optimization and compliance, and project management.
